Home/ Questions/Q 6771863
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T15:28:58+00:00

Possible Duplicate: PHP: the ultimate clean/secure function I have got this code when I

  • 0

Possible Duplicate:
PHP: the ultimate clean/secure function

I have got this code when I insert a user:

  function RegisterUser($userName, $pass, $email, $reputation, $role, $ban, $date, $ip, $numberAttempts, avatar)//'anonym', 'false',  $myDate,$ip, 0, ''
  {
     $userName= SanitizeString($userName);
     $pass= SanitizeString($pass);
     $email= SanitizeString($email);

      $userName=mysql_real_escape_string($userName);
      $pass=mysql_real_escape_string($pass);
      $email=mysql_real_escape_string($email);

The sanitize function is the following:

   function SanitizeString($var)
   {
       //$var=stripslashes($var);
       $var=htmlentities($var, ENT_QUOTES, 'UTF-8');
       $var=strip_tags($var);
       return $var;
   }

Am I doint the right way to protect myself against a malicious attack (Xss attack, javascript attack, sql injection)..

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Am I doint the right way to protect myself against a malicious attack

    Definitely NO.

    Protection is not something like using one magic method to make all attacks disappear in a puff of smoke.
    You need different scenarios for different attacks. A condoms commonly used for safety. Would you secure your money with a condom? I suppose – no.
    Same here.

    Also, mindless mixing protection techniques will spoil your data.
    For example, if your admin has the ability to post HTML from some onlain editor, this SanitizeString will make it impossible.

    In fact, your function is trying to protect only from XSS and obviously wrong way.
    For the other attacks you need other things. SQL injection protection I described in this answer.

    • 0